Preface: About This Document


The latest version of this document can be found on line at:
http://www.docs.hp.com


This document describes how to install and configure NIS/LDAP 
Gateway on HP-UX platforms. 


The document printing date and part number indicate the document’s 
current edition. The printing date will change when a new edition is 
printed. Minor changes may be made at reprint without changing the 
printing date. The document part number will change when extensive 
changes are made. 


Document updates may be issued between editions to correct errors or 
document product changes. To ensure that you receive the updated or 
new editions, you should subscribe to the appropriate product support 
service. See your HP sales representative for details. 


Intended Audience 


This document is intended for system and network administrators
responsible for installing, configuring, and managing NIS/LDAP
Gateway. Administrators are expected to have knowledge of the NIS/LDAP
Gateway product.


New and Changed Documentation in This Edition


Change to use the kill -s SIGUSR2 $(cat /var/run/ypldapd.pid)
command to force a refresh of the preloaded maps in the cache.
What's in This Document


This manual describes how to install and configure the NIS/LDAP 
Gateway software product. 


The manual is organized as follows: 


Chapter 1   Overview of NIS/LDAP Gateway
            Use this chapter to learn the NIS/LDAP Gateway product
            features, components and client administration tools.

Chapter 2   Installing the NIS/LDAP Gateway
            Use this chapter to learn how to install, configure, and
            use the NIS/LDAP Gateway software.

Chapter 3   Administering the NIS/LDAP Gateway
            Use this chapter to understand how to administer the
            NIS/LDAP Gateway to keep it running smoothly and expand
            it as your computing environment expands.

Chapter 4   Command and Tool Reference
            Use this chapter to learn about the commands and tools
            associated with the NIS/LDAP Gateway.

Chapter 5   User Tasks
            Use this chapter to learn how to change passwords and
            personal information.
HP Encourages Your Comments


HP encourages your comments concerning this document. We are truly 
committed to providing documentation that meets your needs. 


Please send comments to: netinfo_feedback@cup.hp.com 


Please include document title, manufacturing part number, and any 
comment, error found, or suggestion for improvement you have 
concerning this document. Also, please include what we did right so we 
can incorporate it into other documents. 
Overview of NIS/LDAP Gateway


This chapter provides a high level overview of what the NIS/LDAP 
Gateway product is and how it works. 


The NIS/LDAP Gateway is a Network Information Service (NIS) server 
that uses an LDAP directory as its information source instead of NIS 
map files. The Gateway accepts NIS client requests for information, gets 
the information from an LDAP directory, and returns the information to 
the NIS clients. It effectively replaces your NIS servers and map files 
with an NIS/LDAP Gateway server and an LDAP directory. Existing NIS 
clients transparently use an LDAP directory to resolve user, group, host 
and other information. 


Used in conjunction with LDAP server technologies, such as Netscape’s 
Directory Server, the NIS/LDAP Gateway can consolidate credentials 
and allow a single password per user to be shared among multiple 
platforms and applications. 


The hierarchical and distributed nature of LDAP is substantially more 
scalable than the flat, single domain policy of NIS. The NIS/LDAP 
Gateway allows your organization to leverage the scalability and 
distributed nature of LDAP directory services, while maintaining an 
existing NIS infrastructure. 


The NIS/LDAP Gateway does not include an LDAP directory server. You 
can obtain the single-server Netscape Directory Server 4.x for HP-UX - 
Lite Edition from http://www.software.hp.com, or the fully functioning
directory server from your local HP sales office. Other directories that 
support LDAP can also be used with this product. 
Comparing NIS and NIS/LDAP Gateway


This section describes the NIS/LDAP Gateway environment, compares it
to NIS, and gives an overview of the steps for migrating to the NIS/LDAP
Gateway.


The following diagram shows a typical NIS environment:


Figure 1-1 Typical NIS Environment


In this NIS environment, the master map files reside on the NIS master
server. Copies of these map files are periodically transferred to the NIS 
slave systems. The NIS servers run the ypserv daemon which serves the 
information requested by clients. NIS clients run the ypbind daemon 
which establishes a connection to an NIS server, enabling client 
processes to get information from the NIS server. Users can change their 
passwords using the yppasswd command. 


The following diagram shows what this environment might look like 
when converted to an NIS/LDAP Gateway environment: 


Figure 1-2 NIS/LDAP Gateway Environment 
In the NIS/LDAP Gateway environment, four main differences exist:

1. An LDAP directory replaces your NIS master server and NIS maps.
   Map files and map transfers are no longer needed. LDAP replication
   uses more efficient updates instead of complete map builds and
   transfers.

2. All NIS slave servers become NIS/LDAP Gateway servers. The
   NIS/LDAP Gateway servers run the ypldapd daemon, rather than
   the ypserv daemon. ypldapd requests information from the LDAP
   directory and serves the information back to the NIS clients.

3. NIS clients continue to run the ypbind daemon, which establishes a
   connection to an NIS/LDAP Gateway server, enabling client
   processes to get information from the LDAP directory.

4. Users change their passwords using the ldappasswd command or an
   LDAP administration tool such as a web browser rather than the
   yppasswd command. Users must use an LDAP administration tool
   such as a web browser to change their personal information instead
   of chfn(1) and chsh(1).


Summary of Installing and Configuring 


The following summarizes the steps to take when moving to an 
NIS/LDAP Gateway environment. 


1. Install and configure an LDAP directory.
2. Install and configure the NIS/LDAP Gateway.
3. Migrate your NIS map information to your directory.
4. Install ldappasswd on your NIS client systems, if desired.
5. Stop the NIS server daemon, ypserv, if necessary.
6. Start the NIS/LDAP Gateway daemon, ypldapd.


These steps, plus verification and testing steps, are described in detail in 
Chapter 2, “Installing the NIS/LDAP Gateway,” on page 9. 
The NIS/LDAP Gateway Components


The NIS/LDAP Gateway product, comprising the following components,
can be found under /opt/ldapux/ypldapd, except where noted.


NIS/LDAP Gateway Components

Component             Description
ypldapd               The daemon that replaces the ypserv daemon and
                      serves NIS requests from NIS clients.
ypldapd.conf          The NIS/LDAP Gateway configuration file.
namingcontexts.conf   Configuration file that specifies where in the
                      LDAP directory each NIS map is.
init.d                Contains start-up files.
lib                   Contains libraries used by ypldapd.
slapd-v2.nis.conf,    The directory schema for posix account and other
slapd-v3.nis.conf     information (RFC 2307) required by the NIS/LDAP
                      Gateway, for LDAP version 2 and version 3.
ypldapd.8             The ypldapd(8) man page.


The installation process copies the automatic start-up file to
/etc/rc.config.d/ypldapd and the manual start-up file to
/sbin/init.d/ypldapd.
Client Administration Tools


The Client Administration Tools listed below can be found under
/opt/ldapux.


Client Administration Tools

Component                    Description
ldapdelete                   Allows you to delete entries in the directory.
ldapmodify                   Allows you to add, delete, modify, or rename
                             directory entries. All operations are
                             specified using LDIF update statements.
ldappasswd                   Changes passwords in the directory. Replaces
                             yppasswd.
ldapsearch                   Allows you to search the directory. Returns
                             results in LDIF format.
migrate_all_online.sh        Migrates files to LDIF or to an LDAP
                             directory. Uses perl scripts listed below.
migrate_all_nis_online.sh    Migrates NIS maps to LDIF or to an LDAP
                             directory. Uses perl scripts listed below.
migrate_aliases.pl           Migrates /etc/aliases to LDIF.
migrate_base.pl              Creates base DN information.
migrate_common.ph            Routines used by other migration scripts.
migrate_fstab.pl             Migrates /etc/fstab to LDIF.
migrate_group.pl             Migrates /etc/groups to LDIF.
migrate_hosts.pl             Migrates /etc/hosts to LDIF.
migrate_netgroup.pl          Migrates /etc/netgroup to LDIF.
migrate_netgroup_byhost.pl   Migrates the netgroup.byhost NIS map to LDIF.
migrate_netgroup_byuser.pl   Migrates the netgroup.byuser NIS map to LDIF.
migrate_networks.pl          Migrates /etc/networks to LDIF.
migrate_passwd.pl            Migrates /etc/passwd to LDIF.
migrate_protocols.pl         Migrates /etc/protocols to LDIF.
migrate_rpc.pl               Migrates /etc/rpc to LDIF.
migrate_services.pl          Migrates /etc/services to LDIF.
perl, version 5              Used by all the migration scripts.
README-client,               Additional documentation files.
README-ypldapd
Contributed tools            Unsupported tools in /opt/ldapux/contrib. See
                             the file /opt/ldapux/contrib/bin/README for
                             details.
Installing the NIS/LDAP Gateway


This chapter describes the decisions you need to make and the steps you 
need to take to install and configure the NIS/LDAP Gateway. 


Before You Begin 


This section lists some things to keep in mind as you plan your 
installation. 


• You must have an LDAP directory. You can obtain the single-server
  Netscape Directory Server for HP-UX - Lite Edition, from
  http://www.software.hp.com, or the fully functioning directory server
  from your local HP sales office. You can view the documentation at
  http://docs.hp.com/hpux/internet. If you have another directory,
  consult the documentation for your directory.

• See the NIS/LDAP Gateway Release Notes (part number
  J4269-90002) for additional information.

• Most examples here use the Netscape Directory Server for HP-UX
  and assume you have some knowledge of this directory and its tools,
  such as the Directory Console and ldapsearch. If you have another
  directory, consult your directory’s documentation for specific
  information.

• The following steps assume you want to emulate the NIS
  environment on HP-UX as closely as possible. You have a lot of
  flexibility to do things differently. Modify these steps as needed for
  your environment.

• The examples use a root DN of o=hp.com for illustrative purposes.
Plan Your Installation and Testing


Before beginning your installation, you should plan how you will set up 
and test your NIS/LDAP Gateway environment before putting it into 
production. This will be similar to the process used to set up and test an 
NIS environment. Consider the following questions: 


• How many LDAP directory servers and replicas will you need?

  Each NIS/LDAP Gateway server binds to an LDAP directory server
  containing your NIS data. Multiple NIS/LDAP Gateway servers can
  bind to a single directory server or replica server. The answer
  depends on your environment, the size and configuration of your
  directory and how many users you have. Depending on these factors,
  you may have anywhere from ten to over one hundred NIS/LDAP
  Gateway servers for each LDAP directory server.

• How many NIS/LDAP Gateway servers will you need?

  This also depends on your environment. A rule of thumb might be to
  have the same number of NIS/LDAP Gateway servers as you have
  NIS servers currently.

• Where will you get your NIS data from when migrating it to the
  directory?

  You can get it from the same source files you create your NIS maps
  from or you can get it from your NIS maps themselves. The key is to
  use up-to-date information. You will probably need to keep your NIS
  maps and your directory in sync for a time while testing. One of the
  contributed tools, ldifdiff, can help you keep your data in sync.

• Where in your directory will you put your NIS data?

  If you are starting with a brand new directory, you will create a new
  subtree. If you already have a directory, you can place your NIS data
  in a separate, new subtree of the directory. Or you can merge your
  NIS data into your existing directory.

• How will you put your NIS data into your directory?

  If you are starting with a brand new directory, the migration scripts
  can build a new directory subtree for your NIS data.

  If you have an existing directory and you decide to place your NIS
  data into a new, separate subtree, the migration scripts can build
  and populate this subtree.

  If you merge your NIS data into an existing directory, the migration
  scripts can create LDIF files of your NIS data, but you will have to
  write your own scripts or use other tools to merge the NIS data into
  your directory.

• How will you test your NIS/LDAP Gateway environment?

  You may want to set up a separate group of systems to test it on. Or
  you could install the NIS/LDAP Gateway on one of your existing NIS
  servers or some other system but use a new domain just for testing.
  Then change one or more existing NIS clients’ domains to the new
  domain for testing. When you have things set up and working
  correctly, change the NIS/LDAP Gateway domain to your production
  domain. You can use ypset(1M) to force one or more clients to bind to
  the NIS/LDAP Gateway for testing. If you encounter problems, you
  can stop the NIS/LDAP Gateway and restart ypserv. You can migrate
  one NIS server at a time to the NIS/LDAP Gateway, testing each as
  you go.

  NOTE   You cannot run an NIS server (ypserv) and an NIS/LDAP Gateway
  server (ypldapd) simultaneously on the same system.

• How will you communicate with your user community about the
  change? How will your users change their personal information such
  as passwords, login shell, and finger(1) information?

  You can install ldappasswd on your NIS client systems to replace
  yppasswd. Or you can create or purchase web-based tools your users
  can use to update their passwords and other information in the
  directory. Note that at this release, the HP-UX commands chsh(1)
  and chfn(1) do not change information in the directory.

  The csh(1) shell and finger(1) command request the entire contents of
  the passwd map for certain operations which may result in a
  performance bottleneck. For this reason, you may want to restrict
  use of csh(1) and finger(1). See “Minimizing Enumeration Requests”
  on page 25 for more information.

• How will you put your NIS/LDAP Gateway into production after
  testing?

  One possible way is to convert each NIS server to an NIS/LDAP
  Gateway server, one server at a time, one subnet at a time. When you
  are confident that server is working, convert the next NIS server to
  the NIS/LDAP Gateway. During the transition, you will probably
  need to keep your NIS maps and your directory in sync.

  Another possible way is to create a new domain and convert each
  client to the new domain.


Configure Your Directory 


This section describes how your directory needs to be configured to work 
with the NIS/LDAP Gateway. Examples are given for Netscape Directory 
Server for HP-UX. If you have a different directory, see the 
documentation for your directory for details on how to configure it as 
described here. 


Step 1. Install the posix schema (RFC 2307) into your directory.


If you have Netscape Directory Server 4.0 for HP-UX or later, the posix
schema is already installed.


For other directories, you can install the schema from
/opt/ldapux/ypldapd/etc/slapd-v3.nis.conf for version 3 LDAP directories
and /opt/ldapux/ypldapd/etc/slapd-v2.nis.conf for version 2 LDAP
directories. Depending on the directory you have, include a line like one
of the following in your configuration file:
include /opt/ldapux/ypldapd/etc/slapd-v3.nis.conf
include /opt/ldapux/ypldapd/etc/slapd-v2.nis.conf 


For information on the posix schema (RFC 2307), see http://www.ietf.org.


Step 2. Restrict write access to certain passwd attributes of the posix schema.


CAUTION   Make sure you restrict access to the attributes listed below. Allowing
users to change them could be a security risk.


Grant write access of the uidnumber, gidnumber, homedirectory, and uid
attributes only to the directory administrator; disallow write access by
all other users. Set up access control lists (ACL) so ordinary users cannot
change these attributes in their password entry in the directory. With
Netscape Directory Server for HP-UX, you can use the Netscape Console
or ldapmodify.


The following access control instruction (ACI) is by default at the top of
the directory tree for a 4.x Netscape directory. This ACI allows a user to
change any attribute in their password entry:


aci: (targetattr = "*") (version 3.0; acl "Allow self entry modification";
allow (write) userdn = "ldap:///self";)


Modify this ACI to the following, which prevents ordinary users from
changing their uidnumber, gidnumber, homedirectory, and uid
attributes:


aci: (targetattr != "uidnumber || gidnumber || homedirectory || uid") (version
3.0; acl "Allow self entry modification, except for important posix attributes";
allow (write) userdn = "ldap:///self";)
You may want to restrict write access to other attributes in the password
entry as well. 


Step 3. Restrict write access to certain group attributes of the posix schema.


Grant write access of the cn, memberuid, gidnumber, and userpassword 
attributes only to the directory administrator; disallow write access by 
all other users. Set up access control lists (ACL) so ordinary users cannot 
change these attributes in the posixGroup entry in the directory. With 
Netscape Directory Server for HP-UX, you can use the Netscape Console 
or ldapmodify.
For example, the following ACI, placed in the directory at ou=groups,
ou=nis, o=hp.com, only allows the directory administrator to modify 
entries below ou=groups, ou=nis, o=hp.com: 


(targetattr = "*") (version 3.0;acl "Disallow modification of group 
entries"; deny (write) (groupdn != "ldap:///ou=Directory Administrators, 
o=hp.com");) 


Step 4. Grant read access of attributes of the posix schema.


Grant read access of all posix attributes to all users. If you have 
Netscape Directory Server for HP-UX, you can skip this step since it is 
the default for a typical installation. If you have another directory, make 
sure all users have read access to the posix attributes. 


Step 5. Establish UNIX crypt as the default encryption.


Netscape's default is SHA (Secure Hash Algorithm) encryption. With the 
Netscape Directory Console, you can select the Configuration tab, then 
select the “Database” object, then the Passwords tab, and change the 
Password encryption field. 


Step 6. Index important entries for better performance.


Since many of your directory requests will be for the attributes listed 
below, you should index these to improve performance. If you don’t index, 
your directory may search sequentially causing a performance 
bottleneck. 


Index on the following attributes: 


• cn
• objectclass
• memberuid
• uidnumber
• gidnumber
• uid


To index these entries with Netscape Directory Server, use the Console, 
Configuration tab, Indexes tab, Add Attributes button.


Step 7. Create a proxy user.


Create a proxy user the NIS/LDAP Gateway will use to bind to the 
directory. With Netscape Directory Server for HP-UX, use the Netscape 
Console, Users and Groups tab, Create button. 
Step 8. Set access permissions for the proxy user.


Give the proxy user (created in step 7 above) read permission for the 
user password attribute in the directory. Since the NIS/LDAP Gateway 
daemon, ypldapd, will authenticate to the directory as the proxy user, 
this user needs to be able to read the passwords. The following example 
ACI gives the proxy user, ypldap_proxy, permission to compare, read, and 
search user passwords: 


aci: (target="ldap:///ou=raptor, ou=labteam, o=hp.com") (targetattr="userpassword") 
(version 3.0; acl "ypldapd Proxy userpassword read rights"; allow 
(compare, read, search) userdn = "ldap:///uid=proxy-user, ou=people,o=hp.com"; ) 


Step 9. For larger directories, increase the Look-through limit.


The Look-through limit specifies the maximum number of directory 
entries to examine before aborting the search operation. The default for 
Netscape Directory Server 4.x for HP-UX is 5000. If you have a large 
directory, (greater than 2000 entries, for example), you may want to 
increase this. This will be less of a problem for indexed entries since the 
search would examine fewer entries. 


To change this limit in Netscape Directory Server using the Directory 
Console, use the Configuration tab, select the “Database” object, the 
Performance tab, and edit the Look-through limit text box. 


Step 10. For larger directories, increase the Size limit.


The Size limit determines the maximum number of entries to return 
to any query before aborting. The default for Netscape Directory Server 
4.x for HP-UX is 2000. If you have a large directory, (greater than 2000 
entries, for example), you should increase this. 


To change this limit in Netscape Directory Server using the Directory 
Console, use the Configuration tab, select the server name, the 
Performance tab, and edit the Size Limit text box. 
Install the NIS/LDAP Gateway on Your Server


Use swinstall(1M) to install the NIS/LDAP Gateway software and the
Client Administration Tools. See the NIS/LDAP Gateway Release Notes
for any last-minute changes to this procedure. You can install the
NIS/LDAP Gateway server and the LDAP-UX Client Administration
Tools.


Import NIS Data into Your Directory 


The next step is to import your NIS data into your LDAP Directory. How 
you do this depends on several factors. Here are some considerations 
when planning this: 


• The migration scripts take your NIS information and generate LDIF
  files. These scripts can then import the LDIF files into your directory,
  creating new entries in the directory. This only works if you are
  starting with an empty directory or creating an entirely new subtree
  in your directory for your NIS data.

• Your directory architect needs to decide where in your directory to
  place your NIS information. Here are some possibilities:

  - Create a separate subtree for NIS data. The migration scripts
    can import all your NIS data into the separate subtree.

  - Integrate the NIS information into your directory. The
    migration scripts may be helpful depending on where you put the
    NIS data in your directory. You could use them just to generate
    LDIF, edit the LDIF, then import the LDIF into your directory.


Steps to Importing Your NIS Data into Your Directory


Here are the steps to importing your NIS data into your directory. Modify
them as needed depending on your directory.
1. Determine which of your NIS maps you will migrate to your directory.
   ypwhich -m gives a list of maps and their master server. The maps are
   typically in /var/yp/<domainname>. On your client systems, the file
   /etc/nsswitch.conf determines which NIS files the client is using.

2. Decide which migration method and scripts you will use. See “NIS to
   LDAP Migration Scripts” on page 35 for a complete description of the
   scripts, what they do, and how to use them. Modify the migration scripts,
   if needed.

3. Back up your directory, if needed.

4. Run the migration scripts.

5. If the method you used above did not already do so, import the LDIF file
   into your directory.


Configure the NIS/LDAP Gateway 


Use the following steps to configure your NIS/LDAP Gateway to work 
with your directory server and your NIS domain. 


Step 1. Edit the configuration file, /opt/ldapux/ypldapd/etc/ypldapd.conf, and set
the appropriate values. Use the comments in the file as a guide. See also
“Configuration Parameters” on page 40 for details on all the parameters.
Provide values at least for the following:


ypdomain    The NIS domain name.

binddn      The directory user the NIS/LDAP Gateway will bind to
            the directory as. You created a proxy user for this
            purpose in step 7 under “Create a proxy user,” on page
            22.

bindcred    The password for the proxy user.

basedn      The Distinguished Name in your directory where the
            NIS/LDAP Gateway should begin all searches.
The file ypldapd.conf contains the proxy user’s password and could
represent a security risk. Restricting the permissions on this file reduces
this risk.


For testing, you can set ypdomain to a new domain, then set the domain
name of your test clients to that domain. When you finish testing, set it 
to your production domain. 


After you modify the configuration file, you can copy it to your other 
NIS/LDAP Gateway servers. 


Step 2. Verify that the proxy user can read passwords from your directory.
The following command


ldapsearch -D "uid=proxy-user, ou=people,o=hp.com" -h servername -w passwd -b o=hp.com uid=username


binds to the directory as the proxy user and reads the entry for the user
username. Change this example to use your proxy user, server, base DN,
and user.


You should get output with a line like the following: 
userpassword={crypt}d921F18SMks12k24 


If you don’t, your proxy user may not be configured properly. Make sure 
you have access permissions set correctly for the proxy user. See 
“Troubleshooting” on page 28 for more information. 


Step 3. If you want the NIS/LDAP Gateway to automatically restart after
rebooting your system, edit the file /etc/rc.config.d/ypldapd and set
YPLDAPD=1.


If you do this, you should also edit /etc/rc.config.d/namesvrs and set
NIS_MASTER_SERVER=0 and NIS_SLAVE_SERVER=0 so the NIS
server does not automatically restart after rebooting.
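The following POSIX shell script is an added example, not part of the HP manual: before rebooting a Gateway server, it checks that the rc.config.d flags from this step would not start both ypldapd and ypserv, and that ypldapd.conf (which holds bindcred) is not readable by group or other. File paths and the expected owner are parameters so the checks can be run against copies; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the HP manual: pre-reboot checks for a
# NIS/LDAP Gateway server. check_boot_flags reads the rc.config.d flags
# the manual describes (YPLDAPD, NIS_MASTER_SERVER, NIS_SLAVE_SERVER) and
# reports whether ypldapd and ypserv would both be started; check_conf_perms
# verifies that ypldapd.conf, which holds the proxy user's bindcred, is not
# readable by group or other. File paths are parameters so the checks can
# be run against copies; the function names are this example's own.

# Print the value of VAR from an rc.config.d file. The file is sourced as
# a shell script at boot, so the last uncommented VAR=... assignment wins;
# a trailing comment, trailing blanks and surrounding double quotes are
# stripped. Prints nothing (the caller treats that as 0) if VAR is unset
# or FILE is missing.
rc_value() {  # rc_value FILE VAR
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | sed -n '$p' |
        sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Decide which name-service daemons the boot scripts would start.
# Exit status: 0 = exactly one of ypldapd/ypserv, 1 = both (they cannot
# run on the same system), 2 = neither.
check_boot_flags() {  # check_boot_flags YPLDAPD_FILE NAMESVRS_FILE
    yp=$(rc_value "$1" YPLDAPD)
    master=$(rc_value "$2" NIS_MASTER_SERVER)
    slave=$(rc_value "$2" NIS_SLAVE_SERVER)
    gateway=0; nis=0
    [ "${yp:-0}" = 1 ] && gateway=1
    if [ "${master:-0}" = 1 ] || [ "${slave:-0}" = 1 ]; then nis=1; fi
    if [ $gateway = 1 ] && [ $nis = 1 ]; then
        echo "CONFLICT: YPLDAPD=1 but an NIS server flag is also 1;" \
             "set NIS_MASTER_SERVER=0 and NIS_SLAVE_SERVER=0 in $2"
        return 1
    fi
    if [ $gateway = 0 ] && [ $nis = 0 ]; then
        echo "WARNING: neither ypldapd nor ypserv will start at boot"
        return 2
    fi
    if [ $gateway = 1 ]; then
        echo "OK: ypldapd starts at boot, ypserv does not"
    else
        echo "OK: ypserv starts at boot (Gateway autostart disabled)"
    fi
    return 0
}

# Check that CONF_FILE is owned by OWNER (default root) and has no group
# or other permission bits, since it contains the proxy user's password.
# Exit status: 0 if so, 1 otherwise. Parses ls -ld so it also works on
# HP-UX, which has no stat(1); a trailing ".", "+" or "@" after the mode
# (SELinux context, ACL, extended attributes) is tolerated.
check_conf_perms() {  # check_conf_perms CONF_FILE [OWNER]
    want=${2:-root}
    listing=$(ls -ld "$1") || return 1
    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    case "$mode" in
        ?r??------|?r??------[.+@]) ;;
        *) echo "$1: mode $mode exposes bindcred to group/other; chmod 600 it"
           return 1 ;;
    esac
    if [ "$owner" != "$want" ]; then
        echo "$1: owned by $owner, expected $want"
        return 1
    fi
    echo "OK: $1 is mode $mode, owned by $owner"
}

# Stand-alone use against the live system (paths from the manual):
#   check_boot_flags /etc/rc.config.d/ypldapd /etc/rc.config.d/namesvrs
#   check_conf_perms /opt/ldapux/ypldapd/etc/ypldapd.conf
```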
Start the NIS/LDAP Gateway Server Daemon
If the NIS daemon is running on the same system as your NIS/LDAP 
Gateway server, stop the NIS daemon: 

/sbin/init.d/nis.server stop 


Start the NIS/LDAP Gateway daemon. If YPLDAPD=0 in the file 
/etc/rc.config.d/ypldapd, use the following command: 
/opt/ldapux/ypldapd/sbin/ypldapd 

If YPLDAPD=1 in the file /etc/rc.config.d/ypldapd, use the following 
command: 

/sbin/init.d/ypldapd start 


To test all servers on a subnet, repeat the above steps for each NIS server
on the local subnet. 


Test the NIS/LDAP Gateway 


This section describes some simple ways you can test the installation and 
configuration of your NIS/LDAP Gateway. You may need to do more 
elaborate and detailed testing, especially if you have a large 
environment. 


The following procedure assumes you have created a new NIS domain
called test-ldap for testing purposes. Modify these commands as
needed for your environment.


Step 1. On an NIS client system, log in as root and change the domain by editing
the file /etc/rc.config.d/namesvrs. Change the line containing
NIS_DOMAIN to:


NIS_DOMAIN=test-ldap


Step 2. On the same NIS client system logged in as root, restart the NIS client
process:

/sbin/init.d/nis.client stop
/sbin/init.d/nis.client start
Step 3. Use the ll(1) command to examine any files and make sure the owner
and group of each file are accurate:

ll /tmp


If any owner or group shows up as a number instead of a user or group
name, respectively, the NIS/LDAP Gateway is not functioning properly.


Step 4. Create a new file and change the file’s owner to another user:

cd /tmp
touch file
chown newuser file
ll file


where newuser is the name of a different user. The final ll(1) command
should display the file owned by the new user.


Step 5. Log in to the client system as an ordinary user, that is, a non-root user, in
the directory and not in /etc/passwd. If this fails, see “Troubleshooting”
on page 28.


Step 6. Once you’ve logged in as an ordinary user, check to see if your NIS/LDAP
Gateway is serving the NIS client by giving the following command on
the client system:

domainname


Step 7. Display one of your maps with a command like the following:

ypcat group | more


Step 8. Repeat steps 3 and 4 above logged in as an ordinary user.
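As an added example (not from the HP manual), the following shell function automates the inspection in steps 3 and 8 above: it scans ll(1) output and flags every entry whose owner or group is printed as a number rather than resolved to a name. The sample listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the HP manual: scan ll(1) / ls -l output for
# entries whose owner or group is printed as a number. The test procedure
# treats that as a sign that the Gateway is not resolving passwd and group
# lookups for the client. The listing is read from stdin so a saved
# listing can be checked as easily as a live one (ll /tmp | unresolved_ids).

# Print "owner group name" for each entry with a numeric owner or group.
# Exit status: 0 if every owner and group resolved to a name, 1 otherwise.
# Assumes the usual HP-UX long-listing layout (mode links owner group ...);
# file names containing spaces are reported by their last word only.
unresolved_ids() {
    awk '
        NF < 5 || $1 == "total" { next }          # skip "total N" and blanks
        $3 ~ /^[0-9]+$/ || $4 ~ /^[0-9]+$/ {
            found++
            printf "%s %s %s\n", $3, $4, $NF
        }
        END { exit (found > 0) }
    '
}

# Constructed sample listing, as it might look on a client whose Gateway
# is only partly working: one entry has an unresolved UID, another an
# unresolved GID.
SAMPLE_LISTING='total 16
-rw-r--r--   1 root       sys           1234 Jan  5 10:02 motd
-rw-r--r--   1 20401      users          512 Jan  5 10:03 report.txt
drwxr-xr-x   2 alice      101             96 Jan  5 10:04 build
-rw-------   1 bob        staff            0 Jan  5 10:05 notes'

# Run the check on the constructed sample and return its exit status.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | unresolved_ids
}
```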


Put the NIS/LDAP Gateway into Production 


This section describes how you can put the NIS/LDAP Gateway into 
production in your environment, after you've completed all the 
verification and testing you need, determined how you will administer 
your directory, and informed your user community about the change. You 
can stop each NIS server and start the NIS/LDAP Gateway server, one
system at a time, completing each subnet one at a time. Modify these 
commands as needed for your environment. 


1. If you decide to use ldappasswd, install it on the appropriate systems.

2. Install the NIS/LDAP Gateway on an NIS server.

3. Copy the ypldapd.conf file from another NIS/LDAP Gateway server.
   Modify it, if necessary, for example if you have multiple directory servers
   to distribute the load among or to set the domain to your production
   domain. See “Configuration Parameters” on page 40 for details.

4. Stop the NIS server daemon on your NIS server system. Log in to the
   server as root and enter the following command:

   /sbin/init.d/nis.server stop

5. Edit the file /etc/rc.config.d/namesvrs and set
   NIS_MASTER_SERVER=0 and NIS_SLAVE_SERVER=0.

6. If you want the NIS/LDAP Gateway to restart automatically after
   rebooting, edit the file /etc/rc.config.d/ypldapd and set YPLDAPD=1.

7. Start the NIS/LDAP Gateway server. If YPLDAPD=0 in the file
   /etc/rc.config.d/ypldapd, use the following command:

   /opt/ldapux/ypldapd/sbin/ypldapd

   If YPLDAPD=1 in the file /etc/rc.config.d/ypldapd, use the following
   command:

   /sbin/init.d/ypldapd start

8. Repeat steps 2 through 7 above for each NIS server on a subnet. See
   “Test the NIS/LDAP Gateway” on page 19 for suggestions on testing. If
   you encounter any problems, see “Troubleshooting” on page 28.
Administering the NIS/LDAP Gateway


This chapter describes how to administer the NIS/LDAP Gateway to
keep it running smoothly and expand it as your computing environment 
expands. It describes the following topics: 

• “Starting and Stopping the NIS/LDAP Gateway” on page 23
• “Enabling Automatic Restart” on page 24
• “Adding a Client System” on page 24
• “Improving Performance” on page 25
• “Troubleshooting” on page 28


Starting and Stopping the NIS/LDAP Gateway 


How you start and stop the NIS/LDAP Gateway depends on whether 
automatic restarting is enabled in the file /etc/rc.config.d/ypldapd. See 
“Enabling Automatic Restart” on page 24 for more information. 


Start the NIS/LDAP Gateway, logged in as root, with a command like one 
of the following. 


If automatic restart is enabled (YPLDAPD=1 in /etc/rc.config.d/ypldapd), 
use the following command: 


/sbin/init.d/ypldapd start 


If automatic restart is disabled (YPLDAPD=0 in /etc/rc.config.d/ypldapd), 
use the following command: 


/opt/ldapux/ypldapd/sbin/ypldapd 


Stop the NIS/LDAP Gateway, logged in as root, with a command like one 
of the following. 


If automatic restart is enabled (YPLDAPD=1 in /etc/rc.config.d/ypldapd), 
use the following command: 


/sbin/init.d/ypldapd stop 


If automatic restart is disabled (YPLDAPD=0 in /etc/rc.config.d/ypldapd), 
use one of the following commands: 

kill $(cat /var/run/ypldapd.pid)    # default pid file location 
kill pid 

where pid is the process identifier of the ypldapd daemon. You can find 
this from the pidfile parameter in /opt/ldapux/ypldapd/etc/ypldapd.conf 
(the default pidfile is /var/run/ypldapd.pid), or with a command like the 
following: 

ps -ef | grep ypldapd 


See “The ypldapd Command” on page 31 or the ypldapd(8) man page for 
more information. 


Enabling Automatic Restart 


If you want the NIS/LDAP Gateway to restart automatically after 
rebooting the system, edit the file /etc/rc.config.d/ypldapd and set 
YPLDAPD=1. To disable automatic restarting, set YPLDAPD=0. 


See also “Starting and Stopping the NIS/LDAP Gateway” on page 23. 


Adding a Client System 


Adding an NIS/LDAP Gateway client is essentially the same as adding 
an NIS client except for ldappasswd or whatever means you give your 
users for changing their password and other personal information. 


For more information, see “To Change Passwords” on page 53 and “To 
Change Personal Information” on page 53 and “The ldappasswd 
Command” on page 32. 


For NIS information see “To Enable NIS Client Capability” in Installing 
and Administering NFS Services available at 
http://docs.hp.com/hpux/communications. 
Improving Performance 


This section lists some ways you can improve the performance of your 
NIS/LDAP Gateway server. 


Minimizing Enumeration Requests 


Enumeration requests are directory queries that request all of a map. 
For example, the command ypcat passwd is an enumeration request 
because it requests all of the passwd map. An ll command would not be 
an enumeration request since it only requests specific pieces of 
information from maps. 


Certain HP-UX operations enumerate a map from the NIS/LDAP 
Gateway server. For example, csh(1) requests the entire group map at 
login. finger(1) requests the entire passwd map whenever it runs. 
Applications written with the getpwent(3C) family of routines can 
enumerate a map. If these maps are large, these enumeration requests 
could cause other NIS/LDAP Gateway client requests to block waiting for 
the enumeration request to complete. For example, a user doing a simple 
ll(1) command could see a delay in response if another user is logging in 
with csh(1) or using the finger(1) command. If the delay is long enough, 
the request may time out and the client may try to rebind to another 
server. To minimize these situations, you may want to restrict use of the 
above mentioned commands. 


You can also improve performance of enumeration requests by 
preloading maps as described in “Preloading the Cache with NIS Maps” 
on page 26. 


Using Additional Processes to Handle Enumeration Requests 


One way to reduce the impact of enumeration requests is to allow 
ypldapd to fork separate processes to handle them thus avoiding tying up 
ypldapd for the duration of the enumeration requests. Do this by setting 
the maxchildren parameter. This parameter specifies the maximum 
number of processes ypldapd will fork when doing enumeration requests. 
See also “Maximum Number of Processes” on page 49. 
Caching 


This section discusses how the NIS/LDAP Gateway caches data from the 
directory and how you can control aspects of caching to improve 
performance. 


Enabling Caching 


The NIS/LDAP Gateway server can cache data from the directory to 
reduce the load on the directory and improve overall performance of NIS 
operations. You enable caching by setting the caching parameter in the 
ypldapd.conf file to on. See “Enable or Disable Caching” on page 47 for 
more information. 


Preloading the Cache with NIS Maps 


You can configure ypldapd to preload certain NIS maps into the cache. 
Preloading ensures the cache is always kept current with these maps. 
This is particularly beneficial for the passwd map and the group map as 
these are often the largest and most enumerated maps. However, the 
more maps you preload, the longer the NIS/LDAP Gateway takes to start 
up. 


Use the preload_cache parameter in ypldapd.conf. For example, the 
following command specifies preloading of the passwd.byname map and 
group.byname map: 


preload_cache passwd.byname group.byname 


For information on the preload_cache parameter see “Preload Maps into 
the Cache” on page 48. 


For best overall performance, you should turn off ypall_caching by 
setting the ypall_caching parameter to “no” in the file ypldapd.conf and 
use preloaded maps instead. See “Preload Maps into the Cache” on 
page 48 for more information. 
Setting the Frequency of Cache Refreshing 


You can specify how often the cache is refreshed with the 
cache_dump_interval parameter as described in “Cache Lifetime” on 
page 48. All preloaded maps will be refreshed periodically, as specified by 
cache_dump_interval. Maps not preloaded will be flushed, not refreshed. 
Future client requests will refill the cache. 


The cache_dump_interval value you use depends on how often you want the 
cache to be updated, how often information in your directory changes, 
and how large your preloaded maps are. The larger the 
cache_dump_interval, the less frequently the preloaded maps in the 
cache will be updated. The smaller the cache_dump_interval, the more 
frequently the preloaded maps in the cache will be updated. If you or 
another user updates the directory, the preloaded maps will not reflect 
the change until the cache is refreshed. ldappasswd, however, is a special 
case. When a user changes their password, ldappasswd marks that 
password entry in the cache as stale. 


One strategy is to set the cache_dump_interval to 60 if your maps are 
greater than 1 megabyte. This will refresh the cache once an hour. If your 
maps are smaller than 1 megabyte, set the cache_dump_interval to 
something less than an hour. The more maps you preload, the larger 
your cache_dump_interval should be. 


Forcing a Refresh of the Cache 


You can use the following command to force a refresh of the preloaded 
maps in the cache: 
kill -s SIGUSR2 $( cat /var/run/ypldapd.pid ) 


This assumes the file /var/run/ypldapd.pid contains the process identifier 
of the ypldapd daemon. You configure this with the pidfile parameter in 
the configuration file as described under “PID File” on page 51. 


The kill -s SIGUSR2 $( cat /var/run/ypldapd.pid ) command 
only applies to HP-UX 11i version 2. 


You can use the following command to log the cache statistics and state 
information via syslog: 

kill -s SIGUSR1 $( cat /var/run/ypldapd.pid ) 

This only applies to HP-UX 11i version 2. 


Troubleshooting 


This section lists problems you may encounter, how to troubleshoot and 
solve them. 


Log Files 


You can check log files to see if any unusual incidents have occurred with 
the NIS/LDAP Gateway or your directory. The NIS/LDAP Gateway logs 
important events and errors to the file /var/adm/syslog/syslog.log. The 
Netscape Directory Server for HP-UX logs information to files in the logs 
directory under /var/opt/netscape/server4/slapd-<serverID>where 
slapd-<serverID> is the name of your directory server. 


User Cannot Log on to Client System 

If a user cannot log in to a client system, perform the following checks. 


• Make sure the NIS/LDAP Gateway daemon, ypldapd, is running. 
Use the following command: 


ps -ef | grep ypldapd 


If it is not running, restart it as described in “Starting and Stopping 
the NIS/LDAP Gateway” on page 23. 


• Make sure the NIS daemon, ypserv, is not running. Use the following 
command: 


ps -ef | grep ypserv 
If it is running, stop it with a command like the following: 


/sbin/init.d/nis.server stop 
• Make sure ypldapd can authenticate to the directory. If you are using 
a proxy user (determined by the binddn parameter in the file 
/opt/ldapux/ypldapd/etc/ypldapd.conf), try searching for one of your 
users' information in the directory with a command like the 
following: 


ldapsearch -D "uid=proxy-user,ou=people,o=hp.com" -h servername -w passwd -b "o=hp.com" uid=username 


using the name of your directory server, proxy user, user name, and 
password. 


You should get output with a line like the following: 
userpassword={crypt}d921F18SMks12k24 


If you don’t, your proxy user may not be configured properly. Make 
sure you have access permissions set correctly for the proxy user. See 
“Configure Your Directory” on page 12 for details on configuring the 
proxy user. 


You can also try binding to the directory as the directory 
administrator and reading the user’s information. 


Use the Netscape Directory Console to authenticate to the directory 
as the directory administrator. Check the ACLs for the proxy user. 
Make sure the proxy user can view the userpassword attribute and 
all the attributes listed below. If not, change the ACI to allow this. 
Make sure all users can read their own information. If they cannot, 
change the ACI to allow this. 


Make sure all users have the following attributes and can read them: 


— posixaccount 
— loginshell 

— uidnumber 
— uid 

— gidnumber 
— memberuid 
— homedirectory 


Make sure UNIX crypt is the default encryption. Verify in Netscape 
with a command like the following: 


ldapsearch -b "o=hp.com" -D "AdminDN" -w "AdminPw" uid=username 

where AdminDN is the directory administrator's relative 
distinguished name, AdminPw is the administrator’s password, and 
username is the name of a user in the directory. The user must be an 
inetorgperson or posixaccount. 


The output should show something like the following: 
userPassword: {crypt}3Adkd9D2s9234sf 
If it shows either of the following: 


userPassword: {sha}3Adkd9D2s9234sf 
userPassword: mypass123 


change it to use crypt encryption. sha indicates secure hash 
algorithm encryption and no bracketed text indicates a clear text 
password. 


You can also check the default encryption in the Directory Console. 
Select the Configuration tab, then select the “Database” object, then 
the Passwords tab, and check the Password encryption field. 


Make sure that hidden passwords are disabled. The 
hide_passwords parameter in ypldapd.conf should be set to no. 


Try restarting the client with a command like the following: 


/sbin/init.d/nis.client stop 
/sbin/init.d/nis.client start 
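An added example (not from the manual) that applies two of the checks above to an entry as ldapsearch returns it: whether userPassword is stored as {crypt}, and whether the attributes listed above are present. The entries it reads are constructed, and the hash strings in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the HP manual: check an LDIF entry (from the
# ldapsearch commands in the checklist) for a {crypt} userPassword and for
# the attributes ypldapd needs. Entries are read from stdin; the sample
# entries below are constructed and their hashes are placeholders.

# Prints the storage scheme of the entry's userPassword: crypt, sha, other
# (some other {scheme}), base64 (value is "::" encoded, scheme not visible),
# cleartext, or missing. Accepts both "attr: value" and "attr=value" output.
password_scheme() {
    awk '
    tolower($0) ~ /^userpassword[:=]/ {
        found = 1
        v = $0
        if (v ~ /^[^:=]*::/) { print "base64"; exit }
        sub(/^[^:=]*[:=][ \t]*/, "", v)
        v = tolower(v)
        if (v ~ /^[{]crypt[}]/)            print "crypt"
        else if (v ~ /^[{]sha[}]/)         print "sha"
        else if (v ~ /^[{][a-z0-9-]+[}]/)  print "other"
        else                               print "cleartext"
        exit
    }
    END { if (!found) print "missing" }'
}

# Prints, space separated, the required attributes absent from the entry
# (and objectclass=posixaccount if that object class is missing). Empty
# output means everything is present.
missing_attributes() {
    awk '
    BEGIN { n = split("uid uidnumber gidnumber homedirectory loginshell", req, " ") }
    /^[A-Za-z]+[:=]/ {
        name = $0; sub(/[:=].*/, "", name); name = tolower(name)
        val = $0; sub(/^[^:=]*[:=][ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        seen[name] = 1
        if (name == "objectclass" && tolower(val) == "posixaccount") seen["posixaccount"] = 1
    }
    END {
        out = ""
        for (i = 1; i <= n; i++) if (!(req[i] in seen)) out = out " " req[i]
        if (!("posixaccount" in seen)) out = out " objectclass=posixaccount"
        sub(/^ /, "", out)
        print out
    }'
}

# Reads one entry from stdin and reports what would stop the user logging
# in through the gateway. Returns 0 if the entry is usable, 1 otherwise.
check_entry() {
    entry=$(cat)
    rc=0
    scheme=$(printf '%s\n' "$entry" | password_scheme)
    if [ "$scheme" != crypt ]; then
        echo "userPassword scheme is '$scheme'; ypldapd needs {crypt}"
        rc=1
    fi
    missing=$(printf '%s\n' "$entry" | missing_attributes)
    if [ -n "$missing" ]; then
        echo "missing attributes: $missing"
        rc=1
    fi
    return $rc
}

# Constructed entries; PLACEHOLDERHASH stands in for a real hash value.
GOOD_ENTRY='dn: uid=jbloggs,ou=People,o=example.com
objectClass: top
objectClass: posixAccount
uid: jbloggs
userPassword: {crypt}PLACEHOLDERHASH
uidNumber: 20
gidNumber: 20
homeDirectory: /home/jbloggs
loginShell: /bin/ksh'

CLEARTEXT_ENTRY='dn: uid=mira,ou=People,o=example.com
objectClass: inetOrgPerson
uid: mira
userPassword: mypass123
uidNumber: 21
gidNumber: 20
loginShell: /bin/sh'

SHA_ENTRY='dn: uid=steves,ou=People,o=example.com
objectClass: posixAccount
uid: steves
userPassword: {SHA}PLACEHOLDERHASH
uidNumber: 22
gidNumber: 20
homeDirectory: /home/steves
loginShell: /bin/ksh'

# Demonstration over the three constructed entries.
for e in "$GOOD_ENTRY" "$CLEARTEXT_ENTRY" "$SHA_ENTRY"; do
    if printf '%s\n' "$e" | check_entry; then echo "entry is usable"; fi
    echo "--"
done
```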
This chapter describes all the commands and tools associated with the 
NIS/LDAP Gateway: 


• “The ypldapd Command” on page 31 describes the NIS/LDAP 
Gateway daemon and command and its parameters. 


• “The ldappasswd Command” on page 32 describes the command that 
changes passwords in your directory. 


• “LDAP Directory Tools” on page 34 briefly describes the tools 
ldapsearch, ldapmodify, and ldapdelete. 


• “NIS to LDAP Migration Scripts” on page 35 describes the shell and 
perl scripts that migrate your NIS data to your LDAP directory. 


• “Configuration Parameters” on page 40 describes the various 
parameters for configuring ypldapd in the file ypldapd.conf. 


The ypldapd Command 


This section describes the ypldapd command and its parameters. See 
also the ypldapd(1) man page. 


ypldapd is the command you use to start the NIS/LDAP Gateway 
daemon. It is a server process that provides information to any process 
that makes rpc calls to the NIS client routines. This includes any process 
that calls the standard UNIX naming service routines, such as 
getpwent(3C), gethostent(3C) and so forth, as well as the special tools 
ypcat(1) and ypmatch(1) provided as part of the NIS product. 


ypldapd emulates the equivalent process ypserv by providing an RPC 
call-compatible interface. Rather than consulting NIS map files as 
ypserv does, however, ypldapd gets its data from LDAP directories. 
Communication to and from ypldapd is by means of RPC calls. Lookup 
functions are described in ypclnt(3N), and are supplied as C-callable 
functions in /lib/libc. 


You can configure ypldapd to cache the information it gets from the 
LDAP directory to improve performance and reduce network traffic. For 
more information on caching, see “Improving Performance” on page 25. 
Syntax 

ypldapd [-v] [-c configfile] 

where 

-v             displays the version number of the software. Include 
               this number when reporting problems. 

-c configfile  allows you to specify an alternate configuration file. 
               The default configuration file is 
               /opt/ldapux/ypldapd/etc/ypldapd.conf. 


You must execute this command logged in as root. See also “Starting and 
Stopping the NIS/LDAP Gateway” on page 23. 


Examples 


The following command starts the NIS/LDAP Gateway daemon: 
/opt/ldapux/ypldapd/sbin/ypldapd 


The following command starts the NIS/LDAP Gateway daemon using 
/tmp/ypldapd.conf as its configuration file: 


/opt/ldapux/ypldapd/sbin/ypldapd -c /tmp/ypldapd.conf 
See also “Starting and Stopping the NIS/LDAP Gateway” on page 23. 


The ldappasswd Command 


This section describes the ldappasswd command and its parameters. 


The ldappasswd program, installed in /opt/ldapux/bin, allows users to 
change their passwords in the directory. Changing a user’s password 
with ldappasswd marks the cache entry for that user as stale, if caching 
is enabled. ldappasswd assumes an LDAP directory server that supports 
the {crypt} format. (For more information, see passwd(1) and crypt(3C).) 


Syntax 


ldappasswd [options] 
where options can be any of the following: 

-b basedn      specifies basedn as the base distinguished name of 
               where to start searching. If ypldapd is running, then 
               this is not required. 

-h host        specifies host as the LDAP server name or IP address. 
               If ypldapd is running, then this is not required. 

-c             generates an encrypted password on the client. Use 
               this parameter for directories that do not automatically 
               encrypt passwords. The default is to send the new 
               password in plain text to the directory. Netscape 
               Directory Server 4.x for HP-UX supports automatic 
               encryption of passwords. 

-v             prints the software version and exits. 

-p port        specifies port as the LDAP server TCP port number. 

-D binddn      specifies binddn as the bind distinguished name. 

-w passwd      specifies passwd as the bind password (for simple 
               authentication). 

-l login       specifies login as the uid of the account to change; 
               defaults to the current user. 


If the NIS client is configured to an NIS/LDAP Gateway server, the -b, -h, 
-p, -D, -w, and -l options are not required. These options are useful for 
changing a password from a system that is not an NIS client or for 
changing another user’s password. 


Examples 


The following command changes the password in the directory for the 
currently logged in user: 


ldappasswd 




The following command changes the password in the directory for the 
user steves: 


ldappasswd -l steves 


LDAP Directory Tools 


This section briefly describes the tools ldapsearch, ldapmodify, and 
ldapdelete. These tools are described in detail in the Netscape Directory 
Server for HP-UX Administrator’s Guide available at 
http://docs.hp.com/hpux/internet. 


Additional tools are available in the directory /opt/ldapux/contrib/bin, 
however these tools are unsupported. See the file 
/opt/ldapux/contrib/bin/README for more information. 


ldapsearch 


You use the ldapsearch command-line utility to locate and retrieve LDAP 
directory entries. This utility opens a connection to the specified server 
using the specified distinguished name and password, and locates 
entries based on the specified search filter. Search results are returned in 
LDIF format. For details, see the Netscape Directory Server for HP-UX 
Administrator’s Guide available at http://docs.hp.com/hpux/internet. 


ldapmodify 


You use the ldapmodify command-line utility to modify entries in an 
existing LDAP directory. ldapmodify opens a connection to the specified 
server using the distinguished name and password you supply, and 
modifies the entries based on the LDIF update statements contained in a 
specified file. Because ldapmodify uses LDIF update statements, 
ldapmodify can do everything ldapdelete can do. For details, see the 
Netscape Directory Server for HP-UX Administrator’s Guide available at 
http://docs.hp.com/hpux/internet. 


ldapdelete 


You use the ldapdelete command-line utility to delete entries from an 
existing LDAP directory. ldapdelete opens a connection to the specified 
server using the distinguished name and password you provide, and 
deletes the entry or entries. For details, see the Netscape Directory Server 
for HP-UX Administrator's Guide available at 
http://docs.hp.com/hpux/internet. 


NIS to LDAP Migration Scripts 


This section describes the shell and perl scripts that can migrate your 
NIS data either from source files or NIS maps to your LDAP directory. 
These scripts are found in /opt/ldapux/migrate. The two shell scripts 
migrate_all_online.sh and migrate_all_nis_online.sh migrate all 
your NIS maps, while the perl scripts migrate_aliases.pl, 
migrate_group.pl, migrate_hosts.pl, and so forth, migrate individual 
NIS maps. The shell scripts call the perl scripts. 


The migration scripts require perl, version 5 or later, which is installed 
with the NIS/LDAP Gateway in /opt/ldapux/contrib/bin/perl. 


Naming Context 


The naming context specifies where in your directory your NIS data will 
be, under the base DN. For example, if your base DN is 
“ou=NIS,o=hp.com,” the passwd map would be at 
“ou=People,ou=NIS,o=hp.com”. Table 4-1 shows the default naming 
context. The default will work in most cases. 


Table 4-1   Default Naming Context 

Map Name           Location in the Directory Tree 

passwd             ou=People 
group              ou=Groups 
aliases            ou=mailGroups 
fstab              ou=Mounts 
netgroup.byuser    nisMapName=netgroup.byuser 
netgroup.byhost    nisMapName=netgroup.byhost 
netgroup           ou=Netgroups 
hosts              ou=Devices 
networks           ou=tcpIp 
protocols          ou=tcpIp 
rpc                ou=tcpIp 
services           ou=tcpIp 








If you change the default naming context, modify the file 
migrate_common.ph and change it to reflect your naming context. You 
must also change the file /opt/ldapux/ypldapd/etc/namingcontexts.conf. 
See also “Naming Context Mappings” on page 42. 


Migrating All Your Files 


The two shell scripts migrate_all_online.sh and 
migrate_all_nis_online.sh migrate all your NIS maps either to LDIF 
or into your directory. The migrate_all_online.sh shell script gets NIS 
information from the appropriate source files, such as /etc/passwd, 
/etc/group, /etc/hosts, and so forth. The migrate_all_nis_online.sh 
script gets NIS information from your NIS maps using the ypcat(1) 
command. The scripts take no parameters but prompt you for needed 
information. They also prompt you for whether to leave the output as 
LDIF or to add the entries to your directory. These scripts call the perl 
scripts described under “Migrating Individual Files” on page 37. You may 
need to modify these scripts to work in your environment. 


The scripts use ldapmodify to add entries to your directory. If you are 
starting with an empty directory, it may be faster for you to use ldif2db 
or ns-slapd ldif2db with the LDIF file. See the Netscape Directory 
Server Administrator’s Guide for details on ldif2db and ns-slapd. 


If any entry in the migrated LDIF file is already in your directory, the 
script will stop at that point. The entries previous to the duplicate will be 
in the directory. To continue, you can edit the LDIF files to remove the 
entries already added up to the duplicate, resolve the duplicate, then 
continue adding the remaining entries. Alternatively you can remove the 
entries from the directory that were already added, resolve the duplicate, 
then re-add all the entries from the LDIF file. 


Migrating Individual Files 


The following perl scripts migrate each of your NIS source files in /etc to 
LDIF. These scripts are called by the shell scripts described under 
“Migrating All Your Files” on page 36. The perl scripts get NIS 
information from the input source file and output LDIF. 

Environment Variables 


When using the perl scripts to migrate individual files, you need to set 
the following environment variable: 


LDAP_BASEDN The base distinguished name where you want your 
data. 


For example, the following command sets the base DN to “o=hp.com”: 


export LDAP_BASEDN="o=hp.com" 

General Syntax for Perl Migration Scripts 

All the perl migration scripts use the following general syntax: 
scriptname inputfile [outputfile] 

where 


scriptname is the name of the particular script you are using. The 
scripts are listed below. 

inputfile is the name of the appropriate NIS source file 
corresponding to the script you are using. 

outputfile is optional and is the name of the file where the LDIF 
is written. stdout is the default output. 


Migration Scripts 


The migration scripts are: 


migrate_aliases.pl migrates aliases in /etc/aliases to LDIF 
information, conforming to the RFC 822 MailGroup schema. 

migrate_base.pl creates base DN information. 

migrate_fstab.pl migrates file system information in /etc/fstab. 

migrate_group.pl migrates groups in /etc/group. 

migrate_hosts.pl migrates hosts in /etc/hosts. 

migrate_netgroup.pl migrates netgroups in /etc/netgroup. 

migrate_netgroup_byhost.pl migrates the netgroup.byhost map. 
This script must be run as root because it calls /usr/sbin/revnetgroup. 

migrate_netgroup_byuser.pl migrates the netgroup.byuser map. 
This script must be run as root because it calls /usr/sbin/revnetgroup. 

migrate_networks.pl migrates networks in /etc/networks. 

migrate_passwd.pl migrates users in /etc/passwd. 

migrate_protocols.pl migrates protocols in /etc/protocols. 

migrate_rpc.pl migrates RPCs in /etc/rpc. 

migrate_services.pl migrates services in /etc/services. 

migrate_common.ph is a set of routines and configuration 
information all the perl scripts use. 


Examples 


The following are some examples using the migration scripts. 


The following command converts all NIS files in /etc to LDIF: 


$ migrate_all_online.sh 

The following commands convert /etc/passwd into LDIF and output it to 
stdout: 


$ export LDAP_BASEDN="dc=aceindustry, dc=com" 
$ migrate_passwd.pl /etc/passwd 

dn: uid=jbloggs, ou=People, dc=aceindustry, dc=com 
uid: jbloggs 
cn: Joe Bloggs 
objectclass: top 
objectclass: posixAccount 
objectclass: account 
userPassword: {crypt}daCXgaxahRNkg 
loginShell: /bin/ksh 
uidNumber: 20 
gidNumber: 20 
homeDirectory: /home/jbloggs 
gecos: Joe Bloggs, 42U-C3,555-1212 





The following commands convert /etc/group into LDIF and place the 
result in /tmp/group.ldif: 


$ export LDAP_BASEDN="o=hp.com" 
$ migrate_group.pl /etc/group /tmp/group.ldif 

dn: cn=mira.aceindustry.com, ou=Groups, o=hp.com 
objectclass: posixGroup 
objectclass: top 
ipHostNumber: 10.1.70.5 
cn: mira 
cn: www.hp.com 
cn: mira.hp.com 
userPassword: {crypt}* 
gidNumber: 325 


The following command migrates /etc/hosts: 


migrate_hosts.pl /etc/hosts 
Configuration Parameters 


You can change the NIS/LDAP Gateway’s run-time configuration 
parameters in the file /opt/ldapux/ypldapd/etc/ypldapd.conf. This section 
describes these parameters in detail. 


Because the configuration file contains a password, you should protect it 
by making the file only accessible by root. Use a command like the 
following: 


chmod 600 ypldapd.conf 


Changing Configuration Parameter Values 


You can change configuration parameter values by editing the 
/opt/ldapux/ypldapd/etc/ypldapd.conf file. Each entry in the file consists 
of a key word, followed by white space, followed by the value for that 
parameter. Any line starting with a pound sign or hash symbol (#) is 
treated as a comment and ignored. 


NIS Domain to Serve 


Specifies the NIS domain that the NIS/LDAP Gateway serves. See 
domainname(1) for more information. 


Required. 


Syntax 
ypdomain domain-name 


where domain-name is the domain name ypldapd is to serve. 


Example 


ypdomain dev-team 
LDAP Server Name 


Specifies the host name of your LDAP server. The host’s IP address must 
be resolvable without consulting NIS (through DNS or /etc/hosts) or 
specified in dotted decimal notation, to avoid reentrancy problems. It is 
suggested you use a DNS name (and configure /etc/nsswitch.conf to 
perform host lookups in DNS before NIS) or an IP address. 


Required. 

Syntax 

ldaphost server-name 

where server-name is a host name or IP address. 

Example 


ldaphost nis-ldap 
ldaphost 15.0.96.234 


LDAP Protocol Version 


Specifies the version of the LDAP protocol your directory server is using. 
Optional. 


Default Value 
2 


Valid Range 
2 | 3 


Syntax 


ldapversion integer 


Example 


ldapversion 3 
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Search Base DN 


Specifies the Distinguished Name in your directory where the NIS/LDAP 
Gateway should begin all searches. 


Required. 
Syntax 


basedn DN 


Example 
basedn o=hp.com 


basedn dc=aceindustry, dc=com 


Naming Context Mappings 


Specifies the file containing name mappings from NIS names to 
distinguished names in your directory. The default mappings are in the 
file /opt/ldapux/ypldapd/etc/namingcontexts.conf. The default mappings 
will work in most cases. Edit this file if you put your NIS data in other 
than the default places. See also “Naming Context” on page 35. 


Optional. 

Default Value 

namingcontexts namingcontexts.conf 

where namingcontexts.conf is found in /opt/ldapux/ypldapd/etc/. 
Syntax 

namingcontexts filename 

Example 


namingcontexts namingcontexts.conf 


Bind DN 


Specifies the distinguished name of the proxy user the NIS/LDAP 
Gateway uses to bind to the directory. 


Optional. 
Default Value 


The default is to bind anonymously. 


Syntax 


binddn DN 


Example 
binddn cn=Directory Manager 


binddn cn=proxyuser, ou=people, o=hp.com 


Bind DN Password 


Specifies the credentials or password of the proxy user the NIS/LDAP 
Gateway uses to bind to the directory. See “Bind DN” above. 


Optional, but required if using a proxy user. 


You should protect this password in your configuration file by making the 
file ypldapd.conf only accessible by root with a command like the 
following: 


chmod 600 ypldapd.conf 


Syntax 


bindcred credential 
Example 


bindcred ldap1234 


LDAP Port 


Specifies the TCP port number for the NIS/LDAP Gateway to connect to 
your LDAP directory server. 


Optional. 
Default 
389 


Syntax 


ldapport integer 


Example 
ldapport 6249 


LDAP Search Scope 


Specifies how deep the NIS/LDAP Gateway should go when searching 
your directory. 


Optional. 


Default 


sub 


Valid Range 
sub | one | base 
where: 


• sub means the NIS/LDAP Gateway is to search the base DN and all 
of its descendants; that is, the entire subtree. 


• one means search only the immediate children of the base DN; that 
is, one level down. 


• base means search only the base DN. This value should not be used 
as it is too restrictive, effectively preventing searching below the 
base DN. 


Syntax 


scope level 


Example 


scope one 
LDAP Alias Dereference Policy 


Specifies how the NIS/LDAP Gateway should handle aliases when 
searching your LDAP directory server. 


Optional. 


Netscape Directory Server for HP-UX implements referrals instead of 
alias dereferencing. See the Netscape Directory Server Deployment Guide 
for details on referrals. 


Default 


deref never 


Valid Range 
never | find | search | always 
where: 


• never means the NIS/LDAP Gateway should never dereference 
aliases. 

• find means dereference only when finding an alias. 

• search means dereference only when searching. 

• always means dereference always. 


Syntax 


deref level 
Example 


deref never 


Fall Through to NIS 


Specifies whether the NIS/LDAP Gateway should search an NIS domain 
if the requested information is not found in the LDAP directory. 


Optional. 
Default 


extended on 


Valid Range 


on | off 


Syntax 


extended Boolean 


Example 
extended off 


Parent NIS Domain 


Specifies the NIS domain to fall through to if the needed information is 
not found in the directory. Maps not supported by the NIS/LDAP 
Gateway and maps already fulfilled by the directory will be 
supplemented by binding to the specified NIS parentdomain. 


Optional. 


Syntax 


parentdomain domainname 


Example 


parentdomain nisusers 


Fall Through to DNS 


Specifies whether the NIS/LDAP Gateway should search a DNS server if 
the requested host information is not found in the LDAP directory. 


Optional. 


Default 


dns_lookups on 
Valid Range 
on | off 

Syntax 


dns_lookups Boolean 


Example 


dns_lookups off 


Search Time Limit 


Specifies how long, in seconds, the NIS/LDAP Gateway should search the 
directory before aborting the search operation. 


Optional. 

Default 

The default is no timeout. 

Valid Range 

0 to 2^32 (0 means no time limit on searches.) 
Syntax 

timelimit integer 


Example 
timelimit 6000 


Enable or Disable Caching 


Specifies whether the NIS/LDAP Gateway should cache information 
from the directory. See “Caching” on page 26 for more information. 


Optional. 


Default 


caching on 
Valid Range 
on | off 

Syntax 


caching Boolean 


Example 


caching off 


Cache Lifetime 


Specifies how often, in minutes, the NIS/LDAP Gateway should refresh 
the preloaded maps in the cache and flush all other maps from the cache. 
See “Setting the Frequency of Cache Refreshing” on page 27 for more 
information. 


Optional. 

Default 

cache_dump_interval 15 

Valid Range 

0 to 2^34 (0 means never refresh the cache) 
Syntax 

cache_dump_interval integer 


Example 


cache_dump_interval 30 


Preload Maps into the Cache 


Specifies what maps, if any, should be preloaded into the cache. Caching 
must be enabled with the caching parameter as described in “Enable or 
Disable Caching” on page 47. See also “Caching” on page 26. 


Optional. 
Default 


No maps preloaded into the cache 


Syntax 


preload_maps mapname [mapname2 [... mapnameN]] 
Recommended 
preload_maps group.byname 


Example 


preload_maps passwd group hosts 


Maximum Number of Processes 


Specifies the maximum number of processes to fork for enumeration 
requests. See “Minimizing Enumeration Requests” on page 25 for more 
information. 


Optional. 


Default 

maxchildren 0 
Recommended 

5 or greater 

Syntax 

maxchildren integer 


Example 


maxchildren 10 


Use Caching for Enumeration Requests 


Specifies whether enumeration requests use caching. Filling the cache on 
an enumeration request can tie up the NIS/LDAP Gateway daemon for a 
long time, delaying service of other NIS requests, causing clients to fail 
or rebind to another server. 
You should preload maps instead of caching enumeration requests. See 
“Preload Maps into the Cache” on page 48. See also “Minimizing 
Enumeration Requests” on page 25 for more information. 


Optional. 


Default 
ypall_caching off 


Valid Range 
on | off 
Recommended 


ypall_caching off 


Syntax 


ypall_caching Boolean 
Example 


ypall_caching off 


NIS Master Host Name 


Specifies the NIS domain the ypwhich command should return. By 
default, ypwhich returns the name of the local host. 


Optional. 


Syntax 


ypmaster hostname 


Example 


ypmaster nisserver 




PID File 


Specifies the file in which to write the process identifier (PID) for the 
NIS/LDAP Gateway daemon, ypldapd. If you don’t specify a full path, the 
file is placed in the root directory, /. 


Optional. 


Default 
pidfile /var/run/ypldapd.pid 


Recommended 


pidfile /var/run/ypldapd.pid 


Syntax 


pidfile filename 
Example 


pidfile /tmp/ypldapd.pid 


Enable or Disable Shadow Passwords 


NOTE: Shadow passwords are not supported in this release. 
You must set this parameter to off or you will not be able to log in. 


Default 


hide_passwords no 


Valid Range 


on | off 


Syntax 


hide_passwords Boolean 
Example 


hide_passwords no 
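As an added example (not from the HP manual), a small Python checker that reads a ypldapd.conf and flags the settings this reference warns about: a pidfile without a full path, hide_passwords not set to off, preload_maps without caching, ypall_caching on, and maxchildren below the recommended 5. The one-parameter-per-line file format with '#' comments is an assumption.

```python
# Added example (not from the HP manual): lint a ypldapd.conf against the
# constraints stated in this reference. Assumed format: one "parameter
# value..." per line, '#' starts a comment.

def parse_ypldapd_conf(text):
    """Return {parameter: [value tokens]}; a repeated parameter keeps its last line."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, *values = line.split()
            conf[key] = values
    return conf

def _first(conf, key, default):
    """First value of a parameter, or the default this reference documents."""
    return conf[key][0] if conf.get(key) else default

def check_ypldapd_conf(text):
    """Return a list of findings; an empty list means nothing to fix."""
    conf = parse_ypldapd_conf(text)
    findings = []
    # Shadow passwords are unsupported in this release: anything but off blocks logins.
    if _first(conf, "hide_passwords", "no") not in ("off", "no"):
        findings.append("hide_passwords must be off; shadow passwords are unsupported")
    # A pidfile without a full path is written under /, not /var/run.
    pidfile = _first(conf, "pidfile", "/var/run/ypldapd.pid")
    if not pidfile.startswith("/"):
        findings.append("pidfile %s is relative and would be created under /" % pidfile)
    # preload_maps only works with caching on; group.byname is the recommended preload.
    if "preload_maps" in conf and _first(conf, "caching", "on") != "on":
        findings.append("preload_maps is set but caching is off")
    if "group.byname" not in conf.get("preload_maps", []):
        findings.append("preload_maps should include group.byname (recommended)")
    # Caching enumeration requests can tie up ypldapd and make clients rebind.
    if _first(conf, "ypall_caching", "off") == "on":
        findings.append("ypall_caching on; preload maps instead of caching enumeration")
    # The reference recommends maxchildren of 5 or greater.
    if int(_first(conf, "maxchildren", "0")) < 5:
        findings.append("maxchildren below the recommended minimum of 5")
    return findings

# Constructed ypldapd.conf with several of the mistakes the reference warns about.
BAD_CONF = """\
pidfile ypldapd.pid        # no full path
hide_passwords on          # unsupported in this release
caching off
preload_maps passwd group hosts
ypall_caching on
maxchildren 2
"""
```

Running check_ypldapd_conf(BAD_CONF) returns six findings, one per mistake in the constructed file.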
User Tasks 


This chapter describes the following tasks your users will need to do: 
• “To Change Passwords” on page 53 


• “To Change Personal Information” on page 53, such as login shell, 
phone number and location 


To Change Passwords 


On HP-UX, users change their passwords with the passwd(1) command 
which changes /etc/passwd or the NIS maps or the yppasswd(1) 
command which changes the NIS maps. With users’ passwords in the 
directory, they must use a different method of changing their password. 


Users change their password with the ldappasswd command. This 
command is similar to the yppasswd command. It changes a user’s 
password in the LDAP directory. For details on this command, see “The 
ldappasswd Command” on page 32. 


You can make ldappasswd available to your users by installing it on all 
your client systems or putting it on a central system accessible to your 
users. 


Alternatively, your users can use a simple LDAP gateway through a web 
browser connected to the directory to change their password. The 
advantage to this method is that they can also change their other 
personal information as described below. 


To Change Personal Information 
On HP-UX, users change their personal information (or gecos 


information) such as full name, phone number, and location with the 
chfn(1) command which changes /etc/passwd or the NIS maps. HP-UX 
users change their login shell with the chsh(1) command, which also 
changes /etc/passwd or the NIS maps. With this personal information in 
the directory, they must use a different method to change it. 


If you have Netscape Directory Server for HP-UX, you can use the 
Netscape Console or the ldapmodify command to change personal 
information. Or you can use a simple LDAP gateway through a web 
browser to display and change this information. 







Glossary 


See also the Glossary in the Netscape 
Directory Server for HP-UX Administrator’s 
Guide available at 
http://docs.hp.com/hpux/internet. 


Access Control Instruction A 
specification controlling access to entries in a 
directory. 


Access Control List One or more ACIs. 
ACI See Access Control Instruction. 
ACL See Access Control List. 


IETF Internet Engineering Task Force; the 
organization that defines the LDAP 
specification. See http://www.ietf.org. 


LDAP See Lightweight Directory Access 
Protocol. 


LDIF See LDAP Data Interchange 
Format. 


LDAP Data Interchange Format (LDIF) 


The format used to represent directory 
server entries in text form. 


ldappasswd A command to change a user's 
password in the LDAP directory. 


Lightweight Directory Access Protocol 
(LDAP) A standard, extensible set of 
conventions specifying communication 
between clients and servers across TCP/IP 
network connections. See also 
SLAPD. 


Network Information Service (NIS) A 
distributed database system providing 
centralized management of common 
configuration files, such as /etc/passwd and 
/etc/hosts. 


NIS See Network Information Service. 


RFC Request for Comments; a document 
and process of standardization from the 
IETF. 


RFC 2307 The IETF specification for using 
LDAP as a Network Information Service; 
required by the NIS/LDAP Gateway. See 
http://www.ietf.org/rfc/rfc2307.txt. 


SLAPD The University of Michigan's 
stand-alone implementation of LDAP, 
without the need for an X.500 directory. 


ypldapd The NIS/LDAP Gateway daemon. 
It replaces the NIS ypserv daemon by 
accepting NIS client requests and getting 
the requested information from an LDAP 
directory rather than from NIS maps. 